Information Gathering (Reconnaissance)
Target Validation WHOIS, nslookup, dnsrecon
Finding Subdomains Google FU, dig, Nmap, Sublist3r, Bluto, crt.sh, etc
Fingerprinting Nmap, Wappalyzer, WhatWeb, BuiltWith, Netcat
Data Breaches HaveIBeenPwned, Breach-Parse, WeLeakInfo
Email Gathering Hunter.io
DNS Enumeration
DNS Recon
dnsrecon -r 127.0.0.0/24 -n IP -d anything(domain)
Domain Lookups
The Harvester
theharvester -d tesla.com -l 500 -b google